
WO2008017011A3 - Systems and methods for application-based interception and authorization of ssl/vpn traffic - Google Patents


Info

Publication number
WO2008017011A3
Authority
WO
WIPO (PCT)
Prior art keywords
application
client
communication
agent
virtual private
Prior art date
Application number
PCT/US2007/075035
Other languages
French (fr)
Other versions
WO2008017011A2 (en)
Inventor
Amarnath Mullick
Charu Venkatraman
Junxiao He
Shashi Nanjundaswami
James Harris
Ajay Soni
Original Assignee
Citrix Systems Inc
Amarnath Mullick
Charu Venkatraman
Junxiao He
Shashi Nanjundaswami
James Harris
Ajay Soni
Priority date
Filing date
Publication date
Priority claimed from US11/462,329 (US8869262B2)
Priority claimed from US11/462,321 (US8495181B2)
Application filed by Citrix Systems Inc, Amarnath Mullick, Charu Venkatraman, Junxiao He, Shashi Nanjundaswami, James Harris, Ajay Soni
Priority to CN200780037175.8A (CN101636998B)
Priority to AU2007281166A (AU2007281166B2)
Publication of WO2008017011A2
Publication of WO2008017011A3
Priority to HK10107195.6A (HK1140883A1)

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/104 Grouping of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of the application from which the communication originates. The agent receives information identifying a first application. The agent determines that a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection. A second method, for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection, bases the decision to allow or deny access on identification of the application. The appliance associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, whether to allow or deny access by the application to the resource.
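The two decisions the abstract describes, the client agent tunnelling only traffic from identified applications and the appliance authorizing each intercepted request against a per-application policy, modelled as an added Python example (not code from the patent or from Citrix). The application identifiers, the rule format and the sample policy are all constructed assumptions; a real agent would identify the originating process more robustly than by executable name.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: identifiers of the applications whose traffic the agent
# is told to intercept (the "first application" of the abstract). Assumption:
# an application is identified by its executable name.
TUNNELLED_APPS = {"outlook.exe", "crm-client.exe"}


@dataclass(frozen=True)
class Connection:
    app: str        # application the client resolved the socket to
    dst_ip: str     # destination address of the resource
    dst_port: int   # destination port


def agent_intercepts(conn: Connection) -> bool:
    """Client-side agent: intercept (and tunnel) only traffic that originates
    from an application on the received list; everything else is untouched."""
    return conn.app in TUNNELLED_APPS


@dataclass(frozen=True)
class Rule:
    app: str        # application identity the rule applies to, "*" for any
    network: str    # destination CIDR the rule covers
    ports: tuple    # permitted destination ports, () for any port
    allow: bool     # allow or deny on match


# Constructed appliance policy: first matching rule wins, default deny.
POLICY = [
    Rule("outlook.exe", "10.10.1.0/24", (443, 993), True),
    Rule("crm-client.exe", "10.10.2.0/24", (8443,), True),
    Rule("*", "10.10.0.0/16", (), False),
]


def appliance_authorizes(conn: Connection, policy=POLICY) -> bool:
    """Appliance side: evaluate the authorization policy using the application
    identity carried with the intercepted request. No match means deny."""
    dst = ip_address(conn.dst_ip)
    for rule in policy:
        if rule.app not in ("*", conn.app):
            continue
        if dst not in ip_network(rule.network):
            continue
        if rule.ports and conn.dst_port not in rule.ports:
            continue
        return rule.allow
    return False


def handle(conn: Connection) -> str:
    """End to end: non-listed applications bypass the VPN entirely; listed ones
    are tunnelled and then allowed or denied by the appliance."""
    if not agent_intercepts(conn):
        return "bypass"
    return "allow" if appliance_authorizes(conn) else "deny"
```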
PCT/US2007/075035 2006-08-03 2007-08-02 Systems and methods for application-based interception and authorization of ssl/vpn traffic WO2008017011A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN200780037175.8A CN101636998B (en) 2006-08-03 2007-08-02 Systems and methods for application based interception ssi/vpn traffic
AU2007281166A AU2007281166B2 (en) 2006-08-03 2007-08-02 Systems and methods for application-based interception and authorization of SSL/VPN traffic
HK10107195.6A HK1140883A1 (en) 2006-08-03 2010-07-27 Systems and methods for application-based interception and authorization of ssl/vpn traffic

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US11/462,321 2006-08-03
US11/462,329 2006-08-03
US11/462,329 US8869262B2 (en) 2006-08-03 2006-08-03 Systems and methods for application based interception of SSL/VPN traffic
US11/462,321 US8495181B2 (en) 2006-08-03 2006-08-03 Systems and methods for application based interception SSI/VPN traffic

Publications (2)

Publication Number Publication Date
WO2008017011A2 (en) 2008-02-07
WO2008017011A3 (en) 2008-07-03

Family

ID=38904791

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/075035 WO2008017011A2 (en) 2006-08-03 2007-08-02 Systems and methods for application-based interception and authorization of ssl/vpn traffic

Country Status (4)

Country Link
CN (1) CN103384250B (en)
AU (1) AU2007281166B2 (en)
HK (1) HK1140883A1 (en)
WO (1) WO2008017011A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729543B (en) * 2009-12-04 2012-10-03 同济大学 Method for improving performance of mobile SSL VPN by utilizing remote Socks5 technology

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9237168B2 (en) * 2012-05-17 2016-01-12 Cisco Technology, Inc. Transport layer security traffic control using service name identification
CN104092691A (en) * 2014-07-15 2014-10-08 北京奇虎科技有限公司 Implementation method and client of networked firewall without root authority
CN104144126B (en) * 2014-08-19 2018-01-23 北京奇虎科技有限公司 Method and system, the client of flow optimization are realized by image procossing
US9560078B2 (en) 2015-02-04 2017-01-31 Intel Corporation Technologies for scalable security architecture of virtualized networks
CN105049431B (en) * 2015-06-30 2019-02-15 深信服科技股份有限公司 Data access control method and device
CN109150751B (en) * 2017-06-16 2022-05-27 阿里巴巴集团控股有限公司 Network control method and device
CN109951575B (en) * 2017-12-20 2022-06-10 新智数字科技有限公司 Method and system for intercepting specified domain name
CN109543470A (en) * 2018-11-01 2019-03-29 郑州云海信息技术有限公司 A kind of storage equipment security access method and system
JP7515385B2 (en) * 2020-11-30 2024-07-12 シャープ株式会社 Information processing device, control method, and program
CN116055408A (en) * 2022-11-07 2023-05-02 中国银行股份有限公司 Service message transmission method, device and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5987611A (en) * 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
WO2002079949A2 (en) * 2001-03-30 2002-10-10 Netscreen Technologies, Inc. Internet security system
EP1418730A2 (en) * 2002-11-06 2004-05-12 AT&T Corp. Virtual private network crossovers based on certificates
US20050265351A1 (en) * 2004-05-27 2005-12-01 Hewlett-Packard Development Company, L.P. Network administration
US20060005240A1 (en) * 2004-06-30 2006-01-05 Prabakar Sundarrajan System and method for establishing a virtual private network
EP1641215A2 (en) * 2004-09-28 2006-03-29 Layer 7 Technologies, Inc. System and method for bridging identities in a service oriented architecture
US7096495B1 (en) * 2000-03-31 2006-08-22 Intel Corporation Network session management

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7260599B2 (en) * 2003-03-07 2007-08-21 Hyperspace Communications, Inc. Supporting the exchange of data by distributed applications
US8572249B2 (en) * 2003-12-10 2013-10-29 Aventail Llc Network appliance for balancing load and platform services
US7818781B2 (en) * 2004-10-01 2010-10-19 Microsoft Corporation Behavior blocking access control
US20060130135A1 (en) * 2004-12-10 2006-06-15 Alcatel Virtual private network connection methods and systems

Also Published As

Publication number Publication date
HK1140883A1 (en) 2010-10-22
CN103384250A (en) 2013-11-06
WO2008017011A2 (en) 2008-02-07
AU2007281166B2 (en) 2011-12-15
CN103384250B (en) 2017-04-26
AU2007281166A1 (en) 2008-02-07

Similar Documents

Publication Publication Date Title
WO2008017011A3 (en) Systems and methods for application-based interception and authorization of ssl/vpn traffic
CN111490993B (en) Application access control security system and method
US11263305B2 (en) Multilayered approach to protecting cloud credentials
US10630725B2 (en) Identity-based internet protocol networking
JP7027348B2 (en) Platform for computing at the mobile edge
US20220103515A1 (en) Split tunneling based on content type to exclude certain network traffic from a tunnel
US20200389437A1 (en) Methods and systems for establishing a connection between a first device and a second device across a software-defined perimeter
EP2850770B1 (en) Transport layer security traffic control using service name identification
US20190116206A1 (en) Network Application Security Policy Enforcement
US20200021618A1 (en) Distributed Network Application Security Policy Enforcement
WO2006004725A3 (en) System and method for establishing a virtual private network
US20090113517A1 (en) Security state aware firewall
WO2007042826A3 (en) Remote access to resources
CN101136777A (en) Security management method of dual-encryption channel cooperation in network management system
WO2010021954A3 (en) System and method for a wpan firewall
WO2013018028A3 (en) Authentication policy enforcement
EP2974355A2 (en) A device, a system and a related method for dynamic traffic mirroring and policy, and the determination of applications running on a network
WO2017208079A3 (en) Method and system for improving network security
Yan et al. Study on security of 5G and satellite converged communication network
SA522431490B1 (en) Method for Data Center Network Segmentation
KR20150114921A (en) System and method for providing secure network in enterprise
CN114640512B (en) Security service system, access control method, and computer-readable storage medium
CN116827646A (en) Terminal flow agent and access control method based on eBPF
RU2008109223A (en) ENSURING AN AGREED ACCESS TO THE FIREWALL WITH INFORMATION ON THE APPLICATION
CN109561099A (en) A kind of equipment telecommunication encryption method

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780037175.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07813683

Country of ref document: EP

Kind code of ref document: A2

WWE Wipo information: entry into national phase

Ref document number: 2007281166

Country of ref document: AU

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2007281166

Country of ref document: AU

Date of ref document: 20070802

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07813683

Country of ref document: EP

Kind code of ref document: A2
